Australia's data retention law

In October 2015, Australian telecommunications providers were required by law to monitor and record metadata on their customers activity, then store it for two years. The data retention law means the country’s internet service providers and mobile carriers must keep logs of the following:

  • Who you called, texted, and emailed
  • When you made those calls, texts, and emails
  • Your location
  • Volume of data exchanged
  • Information about the device you use
  • Your email address
  • Your IP address

Some of this surveillance is impossible to avoid without abstaining from the internet altogether. Your ISP probably already recorded your data volume and device information before this law even came into effect to help optimize network resources. Your ISP also assigns you an IP address, so it will always know your approximate location. This simply cannot be avoided.

So how can you maximize privacy? We recommend using a VPN, encrypted OTT communication apps, and avoiding your ISP’s email service.

Use an encrypted OTT messaging app

“OTT” stands for “over-the-top”. This means messages are sent over the internet and not through your telco’s phone and text network. Unlike standard text messaging, many OTT messaging apps are encrypted. If anyone happens to intercept one of your messages before it reaches the intended receiver–be they a government agency or a hacker–they will not be able to decipher it.

Encrypted OTT messaging apps include Signal, WhatsApp, Telegram, and Viber. These alternatives allow you to bypass government monitoring of who you communicated with and when.

Use OTT voice calls when possible

Many of the messaging apps we mentioned also give users the option to make free voice calls over the internet rather than a traditional telephone network. As with messaging, voice-over-IP (VoIP) call metadata is not monitored or recorded under Australia’s data retention law.

We realize it’s not always practical to make Skype, Viber, Signal, or WhatsApp calls. You won’t be calling from your normal phone number, after all, so it’s a pain to get people to call you back. But for one-off calls, they are a good solution.

VoIP calls require a lot of data, so it’s best to use them when you’re connected to wifi.

Note that only Signal encrypts calls, while the rest remain unencrypted and readable by any third party who intercepts them. If you want to maximize privacy of VoIP calls, use Signal.

Don’t use your ISP’s email service

Your internet service provider might have offered you an email address to use with your internet when you sign up. Don’t use it. Email data retention is the least-clear part of the law, which means it could be abused when left open to interpretation.

Get a free Gmail or Outlook account, instead. If you’re serious about privacy and don’t want Google or Microsoft skimming through your email, either, run a private email server or join a privacy-focused provider like Proton Mail. You can also set up PGP or S/MIME email encryption if your contacts are tech savvy enough to know how to decrypt it.

VPNs not as helpful as you think

We think it would be great if everyone in the world used a VPN. Short for virtual private network, a VPN encrypts all of a device’s internet traffic and routes it through an intermediary server in a location of your choosing. This has the effect of masking your location and IP address plus making it impossible for anyone who intercepts your internet traffic to decipher its contents.

Strictly within in the context of Australia’s data retention laws, however, a VPN won’t be a hugely effective workaround. We’ve seen a ton of articles around the web spouting nonsense about how a VPN solves all your problems and prevents government spying under the 2015 law, but that just isn’t true.

Let’s take a look at the two core components of what a VPN does: changing your IP address and encrypting traffic. Note that Tor suffers from the same pitfalls in this scenario.

Related: What is the best VPN for Australia?

IP masking

The caveat here is that a VPN only changes your IP address after passing through the VPN server. For your traffic to get to that server in the first place, it must first pass through your ISP’s pipes. To do that, your ISP must first assign you an IP address.

This means that while websites, apps, and other online services see your VPN server’s IP address, your ISP still knows your real IP address and can pinpoint your approximate location. There is simply no practical way to get around this.

Channel encryption

This would be an effective means of preventing your internet service provider from spying on the contents of your internet traffic. But according to the text of Australia’s data retention law, the contents of your internet traffic are not being recorded. Only metadata, including when you connect to the internet, how much data you transfer, and some details about your device are monitored. A VPN cannot hide these metadata.

Now, we’re not saying that the government couldn’t conceivably overstep its bounds and start covertly spying on Australians’ online activity. That’s what the NSA has been doing in the United States for years, after all. In that case, a VPN would protect you. But purely in the context of this law, VPN encryption isn’t going to help much.

Not just terrorism

As of January 26, 2016, just three months after the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 became law, freedom of information requests revealed 61 Australian government-affiliated agencies had made requests for metadata. Those agencies’ core responsibilities range far beyond law enforcement and fighting extremism. One application for metadata, in particular, drew heavy criticism. The National Measurement Institute requested access to ensure that supermarkets properly weighed cuts of lamb and did not skimp on portion sizes.

The Post Office, Taxi Services Commission, and an animal cruelty prevention organization are among the other agencies arbitrarily granted law enforcement status, and thus given warrantless access to the telecommunication records of the entire country’s residents. The agencies only need to fill out a short request form and send it to a telco to get their hands on data.

The law has been likened to the United Kingdom’s Investigatory Powers Act that recently came into effect at the end of 2016. Both laws were enacted in the name of fighting terrorism. The UK counterpart is far more invasive, however. It requires internet service providers keep records of customer’s web histories and allows for the bulk interception of telecommunications data. In contrast, the Australian data retention law does not allow the contents of calls, texts, and web histories to be recorded. Instead, it focuses solely on metadata.